RCE in Python Software Foundation CPython

CVE-2026-4786

The mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.000 (6.2th percentile)

Affected products

Weakness classification (CWE)

References